Malware Analysis Report

2024-10-16 05:20

Sample ID: 240331-q9b6xsde24
Target: xxx.apk
SHA256: 18ebf26a49e2d0781470fd6a2afc8f7f47d480f939ac0fceaaf0d534f0564bf1
Tags: collection, evasion, persistence, spynote
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 18ebf26a49e2d0781470fd6a2afc8f7f47d480f939ac0fceaaf0d534f0564bf1

Threat Level: Known bad

The file xxx.apk was found to be: Known bad.

Malicious Activity Summary

Tags: collection, evasion, persistence, spynote

Spynote family

Makes use of the framework's Accessibility service

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-31 13:57

Signatures

Spynote family

spynote

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). | android.permission.BIND_INPUT_METHOD | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-31 13:57
Reported: 2024-03-31 14:03
Platform: android-x64-arm64-20240221-en
Max time kernel: 301s
Max time network: 309s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 ca7d8ac6124e1626f1c6412913414831
SHA1 f953af9a378db943f9584b381e146233c5d0fbb9
SHA256 0af366b2556fb64ce7226d6e0bc722d0d8a65f10e2fd6df678fa3c9137131dbe
SHA512 1b615d2e9556a060ea21115a4fdd036a5cd29071ce22f5b55e49f7184a7d78aee6cb5cc7ddcf2f44e6860796cb327de0c37faf957d433c04360551342164b1d9

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 3853562775362ba1a7b8f551b8978753
SHA1 c2fada066718ce03c48348d1e630c4f57aa156fc
SHA256 50b1c996dea5b9e6e81829e23d8929d9ec46c77a3e1324836e443fe768e6f3dc
SHA512 60c76533611c8213c80192fc6acc954320799335f765b69fb259d5563b04016922c87778ec1d11b2e4bca7043a6cd5e0a0870e65b0c55ef73ef02e108b67e192

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-31 13:57
Reported: 2024-03-31 14:03
Platform: android-33-x64-arm64-20240229-en
Max time kernel: 302s
Max time network: 306s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 1c26ecab0d94f2a4b2dfc7bfda43eff0
SHA1 3c89a227f7d5f3b3db5824c4a707f4438bd74cea
SHA256 4b4e3e72c544d8cf6533031bef655dc6f71834c4ec473fa218144a4c0c6014fa
SHA512 513cf924f101091eeff27a8950a6913d557ff4d72696e89df869accc3dd1b5f64c9b519782222e412d04ed50388ee3bc4016cb92ce0809bee56234a3acb5a5d5

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 9749192580b2ea878f269ff1664b2d65
SHA1 1672bf5830064ec049195bc4493d8e77be2cad9d
SHA256 db5760c25427f8ca5dd0f92b51c4d5d248621393ea5e33558d44adf8b2066d3b
SHA512 353be6a6b7e13b0a7a91161539a0541e0c9a0868c06e5c40f53182deee46363ddcf60a3f0e07191c5f7c83f128c8fcc39c91f3e7ecc32480970b163f892d18bc

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 91ae64ae73518fb1bd4f111688c926fa
SHA1 b715a9b3ba27f8c29532cc846e5caa8fc79fd598
SHA256 a81e0ee18bdf157adde9fa68544f83005a59768c14a8fed9380adf0d9ac3cce7
SHA512 652bbf4afdf4060ef2eb28c5821f6f6e3821b27395863de9122c39957b50cb1c96c1cfb0d56808385fea2ca2afccecba9b962415ccd045abf0086176f8915f1e

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-31 13:57
Reported: 2024-03-31 14:03
Platform: android-x64-20240221-en
Max time kernel: 309s
Max time network: 311s

Command Line

com.whh.premium

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.whh.premium

Network


Files

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 de2c41a51ee9246eb1708f65b511add0
SHA1 2f442d634c8a18760a232c8829d4b5d74a52f074
SHA256 ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
SHA512 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 1c26ecab0d94f2a4b2dfc7bfda43eff0
SHA1 3c89a227f7d5f3b3db5824c4a707f4438bd74cea
SHA256 4b4e3e72c544d8cf6533031bef655dc6f71834c4ec473fa218144a4c0c6014fa
SHA512 513cf924f101091eeff27a8950a6913d557ff4d72696e89df869accc3dd1b5f64c9b519782222e412d04ed50388ee3bc4016cb92ce0809bee56234a3acb5a5d5

/storage/emulated/0/Config/sys/apps/log/log-2024-03-31.txt

MD5 87616373d931930b3dee83730ccd8ef5
SHA1 9883af15ba75a16fdcafb58989ab8b01d3bf67f2
SHA256 690acce58e0637a6665b77402efa6050957c124a91e226c0159c083d59c39833
SHA512 7ac54e7a1dbe7405f883e70410bf11b1fbf69c61855b864d1c3e4cd671edd1287d0c0be23c22275729da55d58ab000324206469f316a949fdbccc16f4f0d2a27